彈簧安全，cors錯誤，當啓用Oauth2

Question

我收到一個錯誤，同時查詢我的oauth /令牌端點。

我爲我的資源配置了cors啓用/還嘗試允許所有資源但沒有任何工作。

XMLHttpRequest無法加載http://localhost:8080/oauth/token。對預檢請求的響應 未通過訪問控制檢查：否 「所請求的 資源上存在」Access-Control-Allow-Origin「標頭。原因'http://localhost:1111'因此不允許 訪問。響應有HTTP狀態代碼401

vendor.js:1837 ERROR SyntaxError: Unexpected token u in JSON at position 0 
    at JSON.parse (<anonymous>) 
    at CatchSubscriber.selector (app.js:7000) 
    at CatchSubscriber.error (vendor.js:36672) 
    at MapSubscriber.Subscriber._error (vendor.js:282) 
    at MapSubscriber.Subscriber.error (vendor.js:256) 
    at XMLHttpRequest.onError (vendor.js:25571) 
    at ZoneDelegate.invokeTask (polyfills.js:15307) 
    at Object.onInvokeTask (vendor.js:4893) 
    at ZoneDelegate.invokeTask (polyfills.js:15306) 
    at Zone.runTask (polyfills.js:15074) 
defaultErrorLogger @ vendor.js:1837 
ErrorHandler.handleError @ vendor.js:1897 
next @ vendor.js:5531 
schedulerFn @ vendor.js:4604 
SafeSubscriber.__tryOrUnsub @ vendor.js:392 
SafeSubscriber.next @ vendor.js:339 
Subscriber._next @ vendor.js:279 
Subscriber.next @ vendor.js:243 
Subject.next @ vendor.js:14989 
EventEmitter.emit @ vendor.js:4590 
NgZone.triggerError @ vendor.js:4962 
onHandleError @ vendor.js:4923 
ZoneDelegate.handleError @ polyfills.js:15278 
Zone.runTask @ polyfills.js:15077 
ZoneTask.invoke @ polyfills.js:15369 

隨着郵差一切都運行完美。

我CORS安全配置：

@Configuration 
@EnableWebMvc 
public class WebConfig extends WebMvcConfigurerAdapter { 
    @Override 
    public void addCorsMappings(CorsRegistry registry) { 
     registry.addMapping("/**") 
       .allowedOrigins("*") 
       .allowedHeaders("*") 
       .allowedMethods("*") 
       .allowCredentials(true); 
    } 
} 

也試圖在允許的起源

代碼中添加郵差http://localhost:1111：

require 'uri' 
require 'net/http' 

url = URI("http://localhost:8080/oauth/token") 

http = Net::HTTP.new(url.host, url.port) 

request = Net::HTTP::Post.new(url) 
request["content-type"] = 'application/x-www-form-urlencoded' 
request["authorization"] = 'Basic Y2hhdHRpbzpzZWNyZXRzZWNyZXQ=' 
request["cache-control"] = 'no-cache' 
request["postman-token"] = 'daf213da-e231-a074-02dc-795a149a3bb2' 
request.body = "grant_type=password&username=yevhen%40gmail.com&password=qwerty" 

response = http.request(request) 
puts response.read_body 

Answer 1

很多掙扎後，我overrided方法配置（WebSecurity web）類WebSecurityConfigurerAdapter，因爲授權服務器自己配置它，我只是沒有找到其他解決方案。你也需要允許所有的「/ oauth/token」Http.Options方法。我的方法：

@Override 
public void configure(WebSecurity web) throws Exception { 
    web.ignoring().antMatchers(HttpMethod.OPTIONS, "/oauth/token"); 
} 

之後，我們需要添加Cors過濾器來設置Http狀態爲OK。我們現在可以使用Http.Options方法。

@Component 
@Order(Ordered.HIGHEST_PRECEDENCE) 
@WebFilter("/*") 
public class CorsFilter implements Filter { 

    public CorsFilter() { 
    } 

    @Override 
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { 
     final HttpServletResponse response = (HttpServletResponse) res; 
     response.setHeader("Access-Control-Allow-Origin", "*"); 
     response.setHeader("Access-Control-Allow-Methods", "POST, PUT, GET, OPTIONS, DELETE"); 
     response.setHeader("Access-Control-Allow-Headers", "x-requested-with, authorization"); 
     response.setHeader("Access-Control-Max-Age", "3600"); 
     if ("OPTIONS".equalsIgnoreCase(((HttpServletRequest) req).getMethod())) { 
      response.setStatus(HttpServletResponse.SC_OK); 
     } else { 
      chain.doFilter(req, res); 
     } 
    } 

    @Override 
    public void destroy() { 
    } 

    @Override 
    public void init(FilterConfig config) throws ServletException { 
    } 
}